
Timing Attacks

They crack passwords by measuring the time it takes for a computer to respond to a login request. On some login systems, the computer will check password characters one at a time, and kick back a "login failed" message as soon as it spots a bad character in the password. This means a computer returns a completely bad login attempt a tiny bit faster than a login where the first character in the password is correct. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords.

This has been around as a concept for 25 years or so, but a couple of guys reckon that it is not so difficult as previously thought.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Wouldn't this have been easier 25 years ago though? I mean 25 years ago, this form of attack had the following things going for it:

#1. People who weren't trained in Computers (Which wasn't many, this would have been 1984) used passwords they could remember, and didn't think much about "Haxors".

#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then, and of course, Ethernet being more than a few MBs a second, and most people using a WAY slower net connection.... Wouldn't it have been easier then? I mean back then, a 1MHz system, you could almost use a Stop Watch to do this lol. Today it would be a difference in like, Milliseconds.

It is interesting though. I haven't used much in my days for password cracking... Being a person who thinks Social Engineering is still very viable, and someone who also uses password crackers and sniffers for those non-encrypted ones, and basically nothing else, I've used what works when I needed to.

When I first started using Linux, I tried cracking my passwords, but it rarely got far. I've been pretty good about that. Ever since my VERY first password EVER back in September of 1999, which was "azsxdc". I know, it sucks, and it's easy, but, it wasn't a word, and I was using a Computer seriously for the very first time.

The problem with this attack is that it is very noisy. If my assumptions are correct, in order to cope with the timing issues presented by the internet, they will have to try each letter many times and take an average of it. The attack is definitely feasible, but has a lot of issues in my opinion. The biggest concern is the network traffic and how that affects the time with responses, coupled with the fact that you are looking for differences in time that are literally nanoseconds. This kind of makes me think of the attack being impractical, but I will have to see what the researchers say. They could have somehow found a way to make network response time reliable.

Heh, I was agreeing with you in an AP assignment and I think I just boosted you quite a bit lol. Man that's awesome lol, your two dots just got more friends from one AP assignment lol. Anyway, I thought I'd post just in case someone wondered how the crap someone went from TWO APs to like 5 in one post. It's not abuse, I gave him a greenie for that post.

heh, I was wondering that myself >.< Looks like I now have enough green to romp with the big leagues <@)

Yes, there are a ton of variables in this. It seems it could be mitigated pretty easily by putting a random delay in the range of 1-15ms before sending back a response upon a bad password being entered...

"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

Yeah, my first thoughts on mitigation was have the password submitted in its entirety and check it in its entirety before giving a virtually identically similar response time reply.
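As an added example (not code from anyone in this thread), here is the character-by-character, stop-at-first-mismatch check described in the opening post placed next to the check-the-whole-password fix suggested above, in Python. The secret and the guesses are constructed sample values, and the "bytes examined" count stands in for the response time an attacker would have to measure over the network.

```python
import hashlib
import hmac

# Constructed sample secret for illustration only (not a value from the thread).
SECRET = b"s3cret-pw"
STORED_DIGEST = hashlib.sha256(SECRET).digest()

def early_exit_compare(stored: bytes, attempt: bytes):
    """Leaky comparison: returns (matched, bytes_examined). It stops at the first
    mismatch, so work done (and so response time) grows with the correct prefix."""
    if len(stored) != len(attempt):
        return False, 0
    examined = 0
    for a, b in zip(stored, attempt):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def fixed_work_compare(stored: bytes, attempt: bytes):
    """Hardened comparison: examines every byte and accumulates differences with
    XOR/OR, so the work count is identical for every same-length guess."""
    if len(stored) != len(attempt):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(stored, attempt):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined

def leak_profile(stored: bytes, guesses):
    """Work counts of the leaky comparison per guess: the shape an attacker
    infers from latency, where the guess with the right first byte stands out."""
    return [early_exit_compare(stored, g)[1] for g in guesses]

def constant_time_check(stored_digest: bytes, attempt: bytes) -> bool:
    """What a login handler should do: compare fixed-length digests with
    hmac.compare_digest, which never stops early. sha256 only gives fixed-length
    input here; a real system stores a slow password hash (bcrypt, scrypt, argon2)."""
    return hmac.compare_digest(stored_digest, hashlib.sha256(attempt).digest())

if __name__ == "__main__":
    # Nine-byte guesses that differ only in their first byte.
    guesses = [bytes([c]) + b"xxxxxxxx" for c in b"arstz"]
    print(leak_profile(SECRET, guesses))                        # [1, 1, 2, 1, 1]
    print([fixed_work_compare(SECRET, g)[1] for g in guesses])  # [9, 9, 9, 9, 9]
```

Note that a uniform random delay added to failed responses, as proposed a few posts up, only raises the number of samples needed, since averaging removes it; making the work independent of the input removes the signal itself.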

My thinking was to look at the % of error............humans won't make that high a %?.............a typo, transposition error or something like that?

Then you will know if you have an attack.

#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then, and of course, Ethernet being more than a few MBs a second, and most people using a WAY slower net connection.... Wouldn't it have been easier then? I mean back then, a 1MHz system, you could almost use a Stop Watch to do this lol. Today it would be a difference in like, Milliseconds.

This doesn't really change anything. Assuming that the response time of the connection is reliable (local attack, attack using a server-side timer, e.g. google: "About 4,580,000 results (0.54 seconds)"), a program can be written using a smaller measurement of time than seconds, or even ms. Ticks, for example, http://msdn.microsoft.com/en-us/libr...ime.ticks.aspx
are a pretty small unit of measurement when dealing with time. For example, if a program were to have a linear scale of login response times, and if the first character is correct, the response takes X ticks, then two would take 2X, three would be 3X and so on. So the idea is the same as 25 years ago, it's just scaled, where X would be a lot larger as you use an older computer. At least that's how I understand it.

#2. CPUs 25 years ago were slow enough that you could WATCH this. Today, with CPUs more than 20x the speed of the average system back then,

I would try more like 2,000x................4.7MHz compared to 2.8GHz?............anyways, I agree, I just thought you understated your case a bit?

As for this threat, I don't take it that seriously, given that most decent systems give you 3-5 strikes before locking you out for at least 30 minutes?

Just look at the math?..............a random password of 12 characters will take forever?................my passwords are all >20 characters